Response to the Office Action of April 29, 2009 
Serial No. 10/733,326 

Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the
application.
Listing of Claims: 

1. (currently amended) A method of secure session management for a web farm, the web farm
including a first server and a second server, the second server having a requested web page, 
the method comprising: 

receiving, at the first server, a request for the requested web page from a browser, said 
request including an encrypted session token associated with a session;

decrypting said encrypted session token at the first server to obtain a [[decrypted session
token]] session ID and a timestamp;

redirecting said request to the second server, including transmitting said [[session token]]
session ID and said timestamp directly to the second server; and

verifying said [[decrypted]] session token.

2. (previously amended) The method claimed in claim 1, further including creating a new session
token, encrypting said new session token at the second server to produce a new encrypted 
session token, and transmitting a response to said browser from the second server, wherein 
said response includes said new encrypted session token. 

3. (currently amended) The method claimed in claim 2, [[wherein said decrypted session token
includes a session ID and a timestamp,]] and wherein said creating a new session token includes
generating a new session ID and updating said timestamp. 

4. (currently amended) The method claimed in claim 2, further including updating a common
session database by replacing said [[decrypted session token]] session ID and said timestamp with
said new session token in said common session database. 

5. (cancelled) 

6. (currently amended) The method claimed in claim [[5]] 1, wherein a common session database
contains a stored session ID and a stored timestamp, and wherein said verifying includes 
comparing said session ID and said timestamp with said stored session ID and said stored 
timestamp. 

7. (currently amended) The method claimed in claim [[5]] 1, further including determining whether
[[a]] said session has timed out, said step of determining including determining an elapsed time 
between said timestamp and a current server time, and comparing said elapsed time with a 
predetermined maximum time to determine whether said session has timed out. 

8. (previously amended) The method claimed in claim 7, including closing said session if said 
session has timed out. 

9. (currently amended) The method claimed in claim 1, wherein said transmitting includes 
incorporating said [[decrypted session token]] session ID and said timestamp into a URL.

10. (currently amended) The method claimed in claim 1, wherein a session management web
service performs said verifying, said session management web service being accessible to said 
first server and said second server, and wherein said verifying includes comparing said 
[[decrypted session token]] session ID and said timestamp with stored session data.

11. (Original) The method claimed in claim 10, wherein the web farm further includes a common
session database containing said stored session data. 

12. (Original) The method claimed in claim 1, wherein said requested web page includes a web 
resource selected from the group including an applet, an HTML page, a Java server page, and 
an Active server page. 

13. (currently amended) A system for secure session management, the system being coupled to
a network and receiving a request for a requested web page from a browser via the network, the
request including an encrypted session token, the system comprising:

a first server including a first request handler for receiving the request and decrypting the 
encrypted session token to produce a [[decrypted session token]] session ID and a
timestamp;

a second server including the requested web page; 

a common session database including stored session data; and 

a session management web service, accessible to said first server and said second 
server and including a validation component for comparing said [[decrypted session token]]
session ID and said timestamp with said stored session data; 

said first request handler adapted to redirect the request to said second server and 
transmit the decrypted [[session token]] session ID and said timestamp directly to said
second server. 

14. (Original) The system claimed in claim 13, wherein said session management web service 
includes a token generator for creating a new session token for said second server, and wherein 
said second server includes a second request handler, said second request handler encrypting 
said new session token to produce a new encrypted session token and transmitting a response 
to said browser, wherein said response includes said new encrypted session token.

15. (currently amended) The system claimed in claim 14, [[wherein said decrypted session token
includes a session ID and a timestamp,]] and wherein said token generator generates a new
session ID, and updates said timestamp based upon a current server time. 

16. (currently amended) The system claimed in claim 14, wherein said session management 
web service replaces said [[decrypted session token]] session ID and said timestamp within said
common session database with said new session token. 

17. (cancelled)

18. (currently amended) The system claimed in claim [[17]] 14, wherein said stored session data
includes a stored session ID and a stored timestamp, and wherein said validation component 
compares said session ID and said timestamp with said stored session ID and said stored
timestamp. 

19. (currently amended) The system claimed in claim [[17]] 14, wherein said validation component
further determines an elapsed time between said timestamp and a current server time, and 
compares said elapsed time with a predetermined maximum time to determine whether a 
session has timed out.

20. (Original) The system claimed in claim 19, wherein said session management web service 
closes said session if said validation component indicates said session has timed out. 

21. (currently amended) The system claimed in claim 13, wherein said first request handler
incorporates said [[decrypted session token]] session ID and said timestamp into a URL in order to
transmit said session token to said second server. 

22. (Original) The system claimed in claim 13, wherein the requested web page includes a web 
resource selected from the group including an applet, an HTML page, a Java server page, and 
an Active server page. 

23. (currently amended) A computer program product having a computer-readable medium 
tangibly embodying computer executable instructions for secure session management for a web 
farm, the web farm including a first server and a second server, the second server having a 
requested web page, the computer executable instructions including:

computer executable instructions for receiving, at the first server, a request for the 
requested web page from a browser, said request including an encrypted session token 
associated with a session;

computer executable instructions for decrypting said encrypted session token at the first 
server to obtain a [[decrypted session token]] session ID and said timestamp;

computer executable instructions for redirecting said request to the second server,
including computer executable instructions for transmitting said [[decrypted session token]]
session ID and said timestamp directly to the second server; and 

computer executable instructions for verifying said [[decrypted]] session token.

24. (Original) The computer program product claimed in claim 23, further including computer 
executable instructions for creating a new session token, encrypting said new session token at 
the second server to produce a new encrypted session token, and transmitting a response to 
said browser from the second server, wherein said response includes said new encrypted 
session token. 

25. (currently amended) The computer program product claimed in claim 24, [[wherein said
decrypted session token includes a session ID and a timestamp,]] and wherein said computer
executable instructions for creating a new session token include computer executable 
instructions for generating a new session ID and updating said timestamp. 

26. (currently amended) The computer program product claimed in claim 24, further including 
computer executable instructions for updating a common session database by replacing said 
[[decrypted session token]] session ID and said timestamp with said new session token in said
common session database. 

27. (cancelled) 

28. (currently amended) The computer program product claimed in claim [[27]] 23, wherein a
common session database contains a stored session ID and a stored timestamp, and wherein 
said computer executable instructions for verifying include computer executable instructions for 
comparing said session ID and said timestamp with said stored session ID and said stored 
timestamp. 

29. (currently amended) The computer program product claimed in claim [[27]] 23, further including
computer executable instructions for determining whether [[a]] said session has timed out, said 
computer executable instructions for determining including computer executable instructions for 
determining an elapsed time between said timestamp and a current server time, and comparing 
said elapsed time with a predetermined maximum time to determine whether said session has
timed out. 

30. (Original) The computer program product claimed in claim 29, including computer executable 
instructions for closing said session if said session has timed out. 

31. (currently amended) The computer program product claimed in claim 23, wherein said 
computer executable instructions for transmitting include computer executable instructions for 
incorporating said [[decrypted session token]] session ID and said timestamp into a URL.

32. (currently amended) The computer program product claimed in claim 23, wherein said 
computer executable instructions for verifying comprise a session management web service, 
said session management web service being accessible to said first server and said second 
server, and wherein said computer executable instructions for verifying include computer 
executable instructions for comparing said [[decrypted session token]] session ID and said
timestamp with stored session data. 

33. (Original) The computer program product claimed in claim 32, wherein the web farm further 
includes a common session database containing said stored session data. 

34. (Original) The computer program product claimed in claim 23, wherein said requested web 
page includes a web resource selected from the group including an applet, an HTML page, a 
Java server page, and an Active server page. 
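The following is an added illustration, not part of the application, of the session flow recited in claims 1-10 (and mirrored in claims 13-22 and 23-34): the first server decrypts the token into a session ID and timestamp, the validation component compares both against the common session database and applies the predetermined maximum time, and the second server then issues a new session ID with a refreshed timestamp and replaces the old entry. The shared key, the 900-second limit and the HMAC-based stand-in cipher are assumptions; the claims name no cipher, key or limit. `handle_request` returns a status and, on success, the new encrypted token for the browser.

```python
import hashlib, hmac, json, os, secrets
KEY = b"constructed-demo-key-not-for-real-use"  # assumption: key shared across the web farm
MAX_AGE = 900.0  # assumption: the claims' "predetermined maximum time", in seconds
ENC_KEY = hashlib.sha256(b"enc" + KEY).digest()
MAC_KEY = hashlib.sha256(b"mac" + KEY).digest()

def _keystream(nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for whatever cipher the application uses (the claims name none)
    return b"".join(hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt_token(session_id: str, timestamp: float) -> bytes:
    """Session token = (session ID, timestamp); encrypt-then-MAC as nonce || ciphertext || tag."""
    pt = json.dumps({"sid": session_id, "ts": timestamp}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()

def decrypt_token(token: bytes):
    """First server: returns (session ID, timestamp), or None if the tag does not verify."""
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    d = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))))
    return d["sid"], d["ts"]

def issue_token(db: dict, now: float) -> bytes:
    """Token generator: new session ID, timestamp = current server time, recorded in the common session database."""
    sid = secrets.token_hex(16)
    db[sid] = now
    return encrypt_token(sid, now)

def verify_session(db: dict, sid: str, ts: float, now: float) -> str:
    """Validation component: match the stored session ID and stored timestamp, then apply the timeout."""
    if db.get(sid) != ts:
        return "unknown"
    if now - ts > MAX_AGE:
        del db[sid]  # close the timed-out session
        return "expired"
    return "ok"

def handle_request(db: dict, token: bytes, now: float):
    fields = decrypt_token(token)  # first server decrypts the browser's token
    if fields is None:
        return "bad_token", None
    status = verify_session(db, *fields, now)
    if status != "ok":
        return status, None
    db.pop(fields[0])  # old session ID and timestamp are replaced in the common session database
    return "ok", issue_token(db, now)
```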